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3 Field of the Invention 

4 This invention relates generally to connection to the Internet for computers that 

5 are not within their original ISP region. More particularly, the present invention is a 

6 system and method for a dial-up roaming architecture that allows Internet connections for 

7 individuals who are not within their original ISP region. 

8 Background of the Invention 

9 Internet connection is typically accomplished by an Internet Service Provider 

10 (ISP) signing up an individual who can then sign on to the Internet via connectivity that is 

1 1 provided by the ISP. This typically takes the form of a dial-up modem or other type of 

12 Internet connection via the ISP. In the case of a cable internet infrastructure, the 

13 connection is via a cable modem. In the case of a digital subscriber line (DSL) internet 

14 infrastructure, the connection is via a DSL modem. Thereafter, the user can access the 

15 Internet based upon the speed of the connection to the ISP. 

16 A problem occurs when an individual user is no longer present within the region 

17 that is covered by the cable or DSL ISP. This occurs when individuals are traveling or 

18 "roaming" to an area other than the area where service is provided by the user's ISP. 

19 When using a cellular telephone, this procedure is very commonly encountered by 

20 travelers who go from one geographic region to another. Basically travelers are then 

21 assigned to a roaming status and their presence within a particular calling area is noted 

22 with information subsequently provided to the home network, allowing home network to 

23 contact the user who is "roaming." 
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1 To solve this problem, currently many users keep a dial-up ISP such as the 

2 Microsoft Network to allow them to have access to the Internet when they are away from 

3 home. This avoids some of the issues associated with different formats that support dial- 

4 up roaming but does not allow, for example, access to the features of a cable internet 

5 connection. 

6 Currently, one such protocol that can be used as a directory service to allow 

7 people to locate other people on the Internet is called the Lightweight Directory Access 

8 Protocol or LDAP. LDAP is a directory service specification that is generally accepted 

9 in the Internet. Such a directory service allows people to locate other people or services. 

10 Such a directory service is basically a database that can be searched and manipulated in a 

1 1 number of ways to display information about a network and its resources. One such use 

12 is to create and manage user accounts including access by registered users to LDAP 

1 3 enabled networks . 

14 Although LDAP service is widely accepted over the Internet, there are many 

15 Internet Service Providers who are not LDAP compatible or enabled. These non-LDAP 

16 networks may be affiliated with other networks which are LDAP enabled. In such cases 

17 it is difficult to verify that a user is authorized to use a non-LDAP network when the user 

18 is trying to access the network via dial-up connection. While LDAP does provide a 

19 good solution to support and authenticate users who are roaming, for those ISPs who are 

20 not LDAP enabled, to upgrade to a standard LDAP architecture requires expensive 

21 architectural changes that many ISPs are not inclined to make. 

22 Many such non- LDAP ISPs use different subscriber management systems 

23 (generally referred to herein as SMS) with differently formatted databases. If a user is 

2 



1 roaming and is attempting to connect to as a subscriber from a non- LDAP region, any 

2 subscriber management system in the non- LDAP region would need to be kept in 

3 synchronization with an authentication database that exists in centralized LDAP database. 

4 To date, there is no efficient access to data for authentication purposes from a non- LDAP 

5 region to an LDAP region. 

6 What is therefore required is a system and method for allowing users to roam 

7 outside of their home regions and to log on to their respective ISPs via dial-up 

8 networking whether the home region is LDAP enabled or not. 

9 Summary of the Invention 

10 It is therefore an objective of the present invention to allow users to roam freely, 

1 1 yet connect to ISPs at different locations and access their home LDAP enabled 

1 2 authentication region. 

13 It is a further objective of the present invention to allow users to connect to non- 
14 LDAP based authentication regions and to allow subsequent authentication to take place 

15 in an LDAP region. 

16 It is a further objective of the present invention to enable a cable modem or DSL 

17 subscriber whose account is assigned to a non- LDAP authenticated site to be able to 

18 roam across the country and have access to such services when they are away from their 

19 cable modem, i.e., connecting to an ISP where they are located. 

20 It is a further objective of the present invention to allow access to a cable modem 

21 or DSL infrastructure using a telephone modem dial-up connection. 

22 It is yet another objective of the present invention to create a regional remote 

23 authentication dial-in user service (RADIUS) so that secure authentication can take place. 



3 



1 It is yet another objective of the present invention to create an authentication 

2 mechanism so that secure authentication can take place regardless of the format of 

3 information in the subscriber management database. 
4 

5 These and other objectives of the present invention will become apparent to those 

6 skilled in the art from a review of the specification that follows. 

7 The present invention allows a user to be away from the user's cable modem 



8 connection and use a local dial-roaming telephone number, and analog modem, together 

9 with client dial-up software to dial into a local Dial Access Provider (DAP). The DAP 
10 forwards an access request over a Network Access Server (NAS) over a local Internet 



11 network. 

12 That request for access proceeds to a corporate RADIUS server which 

13 authenticates the request of the user against an LDAP database. If the user is 

14 authenticated against the directory of the LDAP database, access to the cable modem 

15 services are allowed. 

16 Operating in this mode, the NAS operates as a client of the corporate RADIUS 

17 server. The NAS is responsible for passing user information to the corporate RADIUS 

18 server and then acting on the response that is returned. 

19 The corporate RADIUS server receives user connection requests, authenticates 

20 the user, and provides configuration information to the NAS to deliver service to the user 

21 who is dialing in. 
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1 Transactions between the corporate RADIUS server and the NAS are 

2 authenticated through unique identification and exchange of secret information relating to 

3 identity. This information is not sent in the clear over the network. 

4 The NAS creates an access request containing such attributes as the user name 

5 and password. The access request is sent to the corporate RADIUS server for 

6 authentication. The RADIUS server then determines to which region the user belongs by 

7 comparing the user's region which is, in part a function of a naming convention such as 

8 (user name@ region.rr.com). This is compared against the region's site type in the 

9 configuration file, that is, LDAP or non- LDAP. If the region is an LDAP region, the 

10 authentication request is forwarded to the regional LDAP database. The LDAP database 

1 1 then checks its database directory and, if the user is present in the database and password 

12 is correct returns an "accept" message or a "deny" message if the user is not in the 

13 database. 

14 If the region in which the user is located is not an LDAP based region, the 

15 corporate RADIUS server will proxy to an appropriate regional RADIUS server. The 

16 regional RADIUS, having received the authentication request in the form of a user name 

17 and CHAP hashed password, retrieves the user's clear text password from the subscriber 

18 management system (SMS) or account management system (AMS) associated with the 

19 non- LDAP region. The system then hashes the clear text password from the SMS/AMS 

20 database using the Challenge Handshake Authentication Protocol (CHAP) and compares 

21 it to the incoming password which is, in the preferred embodiment, also CHAP hashed 

22 and returns an "accept" message if the user is present in the SMS/AMS database or a 

23 "deny" message if the user is not present in the database. When the passwords are CHAP 
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1 hashed as noted above, the presence of the password and comparison to the transmitted 

2 password is accomplished by comparing the two hashes. If they exactly mathc, then the 

3 suer is poresent in the datbase and an "accept" message is transmitted. If the hashes do 

4 NOT match, the a "deny" message is sent. It should be noted that the CHAP hashing is 

5 not meant as a limitation. Passwords may be sent "in the clear" although this is not 

6 recommended for security reasons, or other hasing algorithms can be use to hash the 

7 password that are sent and compared. 

8 It is also within the scope of the present invention to perform the hashing of 

9 passwords noted above regardless of the type of region (LDAP/non-LDAP) in which the 

10 user and the users access service is located 

1 1 Regardless of the site type, user names and passwords are hashed so as not to be 

12 sent in clear text, thereby affording an additional element of security. 

13 When a user completes a dial-in session, the user is disconnected. The NAS 

14 server then notifies the corporate RADIUS that the dial-in session has terminated. 

15 The system has the advantage of not requiring major upgrades to non-LDAP 

16 regions. For example, for an SMS site, no new hardware would be required since a 

17 regional RADIUS will be installed on the existing SMS servers. For AMS sites, an 

18 upgrade can be accomplished in a cost effective fashion by using, for example and 

19 without limitation, a Compaq Proliant 3000 256 megabytes of RAM and mirrored 5 GB 

20 disk drives. Such a system would operate using Windows NT 4.0 and other software 

21 generally known in the art. 

22 Brief Description of the Figures 

23 Figure 1 is an overall architectural view of the present invention. 
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1 Detailed Description of the Invention 

2 As noted above, the present invention is a system and method for allowing both 

3 LDAP and non-LDAP users to freely roam in different regions of the country and 

4 connect to all of the cable or DSL network functionality via dial-up connection. 

5 Users 10 and 12 who are roaming outside of the service region of the cable 

6 network provider connect via a dial-up modem connection, or other type of wired or 

7 wireless connection to a network access server 14. Naming conventions for users who 

8 are roaming allow user 10, for example, who is serviced via an LDAP region to access 

9 email and other cable network features by virtue of the email address. Regions with 

10 LDAP service and regions without LDAP service are differentiate by virtue of their 

1 1 addresses. The network access server 14 connects to the local Internet Service Provider 

12 16 and, via a dedicated communication line 18, which may, for example, be a Tl line. 

13 However, this is not meant as a limitation. Any dedicated high bandwidth line or access 

14 both wired and wireless would be suitable for the present invention. The local ISP then 

15 connects to the corporate RADIUS server 20 for those users who are in a region that is 

16 LDAP enabled. The corporate RADIUS server 20 communicates with the LDAP 

17 regional server 24 to determine if the user is in the LDAP database 26. If the user is in 

18 the LDAP database 26. The regional LDAP server 24 authenticates the user to the 

19 corporate RADIUS server 20 which then sends the appropriate accept or deny signal 

20 through the communication link 18 over the local ISP 16 through the network access 

21 server 14, to the roaming customer 10. 

22 If the customer is in a non-LDAP region, customer 12 dials in via the network 

23 access server 14, over the local ISP 16 and again over dedicated network 18 to the 
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1 RADIUS server 22. The RADIUS server then proxies the request for access to a regional 

2 RADIUS server 28 which connects to the non- LDAP region server 30 which in turn has 

3 a subscriber management system (SMS) or account management system (AMS) database 

4 32. Through a view into the non- LDAP region server 30, the system determines if the 

5 roaming customer 12 is permitted access. If such access is permitted, a message is sent 

6 by the non-LDAP region server 30 to the regional RADIUS 28 to the RADIUS server 22. 

7 Thereafter the accept or deny signal is sent via the dedicated network 18 via the local ISP 

8 16 over the network access server 14 to the roaming customer 12. 

9 In this fashion, roaming customers who are in a region which is non- LDAP 

10 enabled can still use an access cable or DSL service via a regional RADIUS server which 

11 is a relatively inexpensive upgrade to existing systems. Thus, non- LDAP enabled 

12 regions do not have to engage in expensive upgrades in order to allow roaming customers 

13 to have access to their systems. 

14 A system and method to allow roaming customers to have access to LDAP or 

15 non- LDAP enabled regions has now been illustrated. It will be appreciate by those 

16 skilled in the art that other variations of the present invention are possible without 

17 departing from the scope of the invention as disclosed. 
18 

19 
20 
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1 LA method for dial roaming for users having a home non-LDAP 

2 (Lightweight Directory Access Protocol) region to allow access comprising: 

3 dialing into a local dial access provider; 

4 creating an access request ; 

5 forwarding the dial access request to a corporate remote authentication dial-in 

6 user service (RADIUS) server; 

7 proxying the request to a regional RADIUS server associated with the user's 

8 home region; 

9 accessing the regional user database to determine if the user is present in the 

10 regional database; 

1 1 authenticating the user; and 

12 providing configuration information to the user to allow access to the network. 

13 2. The method for dial roaming of claim 1 wherein the access request is 

14 forwarded to an access provider via a network access server (NAS). 

15 3 . The method of claim 2 wherein the NAS functions as a client of the 

16 corporate RADIUS server. 

17 4. The method of claim 1 further comprising: 

18 the corporate RADIUS server determining if the user is a member of an LDAP or 

19 non-LDAP region. 

20 5 . The method of claim 4 wherein the determining if the user is a member of an 

21 LDAP or non-LDAP region is accomplished by reviewing a configuration file 

22 stored in the corporate RADIUS server. 
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